10-29-2001 02:01 PM - edited 07-05-2021 12:06 PM
I would like to use LEAP authentication for my WLAN users via an existing LDAP database, but have been told that this will not work because LDAP does not support any CHAP authentication protocols and this is what the Aironet APs use. I don't really understand this response, since it will be the ACS server talking to the LDAP server, not the AP. I thought the LDAP server is used only as a group/password database and the ACS server handles the interface to the access point.
Has anyone set up a similar architecture? Or, can anyone give me a more definitive explanation of why this would not work?
Regards,
Blake
11-06-2001 10:42 AM
You are correct, you can NOT use an LDAP database to authenticate. The problem is with the hashing algorithm. Other standards exist, but LEAP is Cisco proprietary and that is one of the issues. If you don't have a ton of users, maybe just create a local database file on your RADIUS server (that works great), or authenticate against an NT domain.
04-30-2002 07:14 AM
I wish to authenticate wireless users with LEAP and ACS 3.0 against an LDAP server.
The ACS User Guide specifies (page 1-9, table 1-2) that the password authentication protocol LEAP is not compatible with an LDAP database, the same as stated in the previous post of this thread.
However, in a recent TechTalk (Securing and Managing Your 802.11 Wireless Network) there were some questions related to this issue:
- Question 163: Can you proxy through a Cisco ACS server to a backend LDAP server for username and password authorization?
Answer 163: Absolutely. Pls see the following URL: http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/ldcsa_wp.htm.
- Question 238: Can you support LEAP with a backend LDAP server?
Answer 238: yes!
- Question 301: When using LEAP, is the password stored in a Cisco ACS stored as a hash or something that can be stored in an LDAP server?
Answer 301: A hashed password is used, and LDAP does not have support for the hashing algorithm.
Is there any way to use this kind of authentication? Has anyone tried it? Can anyone clarify this point?
Thanks in advance
Javier
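Added illustration, not part of any post in this thread and not Cisco ACS code: why a challenge-response exchange cannot be checked against a directory that holds only a salted one-way hash. It assumes RFC 1994 CHAP (MD5) as a stand-in for LEAP's exchange and the {SSHA} format as the directory's stored hash; the password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def ssha(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 in {SSHA} form (assumed directory storage format)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def directory_verify(stored: str, presented: bytes) -> bool:
    """All a bind/compare can do: re-hash a presented cleartext password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(presented + salt).digest(), digest)


def server_verify_chap(ident: int, challenge: bytes, response: bytes,
                       secret: bytes) -> bool:
    """The authentication server must recompute the response itself,
    so it needs the same secret the client hashed with the challenge."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed value
    challenge = bytes(range(16))                # fixed here; random in practice
    ident = 1
    response = chap_response(ident, password, challenge)  # what the client sends
    stored = ssha(password, salt=b"\x01\x02\x03\x04")     # what the directory holds
    return {
        # Local user database holding the secret: response can be recomputed.
        "local_db": server_verify_chap(ident, challenge, response, password),
        # Directory hash used in place of the secret: recomputation fails.
        "stored_hash_as_secret": server_verify_chap(
            ident, challenge, response, stored.encode()),
        # Directory works when the cleartext password is presented (PAP-style).
        "directory_with_cleartext": directory_verify(stored, password),
        # The server only has the response, which the directory cannot check.
        "directory_with_response": directory_verify(stored, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```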